
By Ian Cohen, CEO, LOKKER
Banks operate in one of the most heavily regulated industries, and this extends to the sharing of personal data and browsing habits collected on their websites by third parties. This obviously includes sensitive financial and personally identifiable information, but it also extends well beyond that type of data. Beyond state and federal privacy laws and Gramm-Leach-Bliley, banks must also navigate a complex landscape of consumer protection laws enforced by agencies like the CFPB, FTC, and state-level organizations, as well as private lawsuits brought by plaintiffs’ counsel. These legal actions increasingly cite unfair, deceptive, and abusive practices in how companies collect user consent for third-party data sharing on their websites.
At the heart of these cases is often the question of whether customers provided proper and informed consent or had a clear ability to opt out of data collection. The lack of consent is central to many recent lawsuits over unlawful data collection via web tracking technology like pixels, tags, and session replay tools, scrutinized under laws such as state wiretapping acts, older laws like the Video Privacy Protection Act (VPPA), and regulatory actions taken by the FTC. A common misconception among companies is that simply having a consent banner on their website guarantees privacy compliance and shields them from liability. This is most often not the case.
Misconfigured Consent Banners Are a Liability
Unfortunately, simply having a consent banner doesn’t guarantee compliance. A consent banner is a contract with your website visitors, and if that contract isn’t correctly configured and honored, the consequences can be considerable.
In the U.S., organizations have started to receive demand letters calling out deceptive consent practices. Similarly, many of the legal claims and ensuing damages for violating state wiretapping laws, or for illegally sharing data with a social media pixel, stem from not obtaining (or improperly obtaining) user consent. Even when a company’s intentions are good, if the end user isn’t given a clear way to opt out, or if that opt-out isn’t correctly honored, which is often the case, the process can be deemed deceptive. This has been seen in Europe under GDPR for some time now, where companies like Yahoo were fined millions because their consent banner still placed cookies without explicit consent. It’s now happening in the US at a rapidly increasing rate due to rapid changes in state privacy laws.
The FTC has defined dark patterns as consent practices that mislead users by using interfaces designed to manipulate their consent choices (details in this report). These practices subvert user privacy choices, prompting more data collection than necessary.
However, in the vast majority of cases, the company isn’t intentionally trying to deceive users; it simply has technical and operational issues that keep its consent banner from accurately reflecting a user’s consent choices.
Common Consent Missteps and Technical Limitations
While a consent banner is a necessary first step, it is by no means the only one. It’s the organization’s responsibility to ensure that the banner operates transparently and delivers as promised. There are three main issues for companies to pay attention to:
- Clear display: Common issues that lead to legal actions include pre-selected consent options, hidden decline buttons, confusing language, and making the opt-out process overly complex.
- Out-of-date cookie and pixel inventory: The list presented to end users isn’t complete and accurate. To prevent this, you need to scan much more frequently than most companies do (weekly at the least). Ad tech is extremely dynamic and can change from day to day.
- Technical failures: Tracking technology is served even after a user selects “Reject All”.
Specifically, here are some common pitfalls:
- Missing banners on key pages, leading to data collection without consent. This often happens on one-off landing pages. If the banner is missing on a page, every user who enters the site on that page can be out of compliance.
- Miscategorization: in the absence of federal guidance, companies often misclassify non-essential tools as necessary, misleading users about what they are consenting to.
- Pre-emptive cookie drops, with over 90% of websites loading third-party cookies before the user can click ‘accept all’ on the consent banner. This puts the burden back on the organization to remove all of the first-party cookies after a user selects ‘reject all’ and prevent dropping third-party cookies until a consent state is chosen.
- Blocking failures occur when data collection continues despite users choosing ‘reject all’ on consent banners. This happens frequently. Why? Again, targeting tech is complex, dynamic and has been the basis of customizing websites and advertising for over 25 years.
- Overlooked tracking methods like fingerprinting, tracking pixels and piggybackers (tags loaded by other tags), which are not covered by many consent management tools.
- Inconsistent opt-out settings across browsers and devices, leading to unintended data sharing.
- Stale consent banners that fail to update in real time, resulting in inaccurate or incomplete tracking technology disclosures and allowing unauthorized data collection without users’ explicit consent.
It’s crucial to evaluate whether your consent banner has any of the common issues outlined above by scanning your website from the perspective of the end user, NOT the website operator. This should be done monthly at the least, but ideally more often. Start by auditing your consent banner to identify any potential problems, such as misconfigurations or deceptive design elements.
If you discover issues, assess whether you can address these issues with your consent management platform. There are also third-party tools that can verify consent banner compliance if needed.
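The pitfalls above (pre-emptive cookie drops, blocking failures after “Reject All”, and an out-of-date tag inventory) all show up as cookies present in the visitor’s browser that the recorded consent state does not justify. The following is an added illustration, not LOKKER’s code or any consent platform’s API: a minimal consent gate plus an end-user-perspective audit over a constructed, hypothetical tag registry and sample cookie strings.

```javascript
// Added example (not LOKKER's code). The registry, consent states and cookie
// strings are constructed sample data; real inventories come from a site scan.
const TAG_REGISTRY = [
  { id: "session-auth",  category: "essential", cookies: ["sid"] },
  { id: "web-analytics", category: "analytics", cookies: ["_ga", "_gid"] },
  { id: "social-pixel",  category: "marketing", cookies: ["_fbp"] },
];

// Tags permitted to run for a consent state. `null` means the banner has not
// been answered yet: only essential tags may run before the visitor chooses,
// which is what prevents pre-emptive drops.
function allowedTags(consent, registry = TAG_REGISTRY) {
  return registry.filter(
    (t) => t.category === "essential" ||
           (consent !== null && consent[t.category] === true)
  );
}

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Audit from the visitor's side: given the cookies actually present and the
// recorded consent state, report (a) cookies set by tags the visitor did not
// consent to (a blocking failure or pre-emptive drop) and (b) cookies that no
// registered tag accounts for (the inventory shown in the banner is stale).
function auditCookies(cookieString, consent, registry = TAG_REGISTRY) {
  const allowed = new Set(allowedTags(consent, registry).flatMap((t) => t.cookies));
  const known = new Set(registry.flatMap((t) => t.cookies));
  const present = cookieNames(cookieString);
  return {
    unauthorized: present.filter((n) => known.has(n) && !allowed.has(n)),
    unknown: present.filter((n) => !known.has(n)),
  };
}

// After "Reject All", build the document.cookie assignments that expire each
// unauthorized first-party cookie on the site's own domain.
function expireCookieStrings(names, domain) {
  return names.map(
    (n) => `${n}=; Max-Age=0; Path=/; Domain=${domain}; SameSite=Lax`
  );
}
```

Running `auditCookies` on each scanned page, before any click and again after “Reject All”, gives a per-page list of the exact cookies that contradict the banner, which is the evidence a demand letter would cite.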
In addition to improving your consent banner, consider implementing advanced privacy measures like real-time blocking of sensitive data. This technology can act as a critical last line of defense, preventing unauthorized data collection by web trackers and ensuring that user preferences are respected even if there are gaps in your consent management system.
By proactively addressing these issues and enhancing your privacy measures, you can better protect your bank from compliance risks and build greater trust with your users.
Prepare for Stricter Enforcement
Dodd-Frank gave the CFPB the authority to penalize financial institutions for engaging in deceptive acts under UDAAP. The FTC has also signaled its commitment to targeting companies that employ dark patterns in cookie banners, warning that deceptive consent practices violate the FTC Act and other regulations.
As privacy laws tighten and enforcement ramps up, banks must take proactive steps to ensure their consent practices are compliant and transparent. Missteps in this area could lead to significant fines, reputational damage, and potentially broader legal actions that put your firm in the spotlight. By addressing the limitations of consent management tools and ensuring informed user consent, banks can protect themselves from costly fines and business disruption.
The stakes are high, and now is the time for financial institutions to review their data collection practices before they face the growing wave of privacy-related regulations.